Skip to content
forked from fgsect/scat

SCAT: Signaling Collection and Analysis Tool

License

Notifications You must be signed in to change notification settings

CrackerCat/scat

 
 

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

59 Commits
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 

Repository files navigation

SCAT: Signaling Collection and Analysis Tool

This application parses diagnostic messages of Qualcomm and Samsung baseband through USB, and generates a stream of GSMTAP packet containing cellular control plane messages.

Requirements

On PC

Only tested in Linux, mostly various versions of Ubuntu. Python 3 is a minimum requirement, and the following external modules are required:

To properly decode GSMTAP packets generated by SCAT, Wireshark 2.6.0 or above is required. For older Wireshark releases, we are providing a Wireshark Lua plugin to extend the GSMTAP dissector. GSMTAP definition used by SCAT is based on libosmocore 0.11.0.

Smartphones

Cellular device must expost the diagnostic port via USB. This is largely device-dependent and we can not give generic solution for all devices. Search the Internet with keyword (your device name) qpst to get the method of exposing the diagnostic port for Qualcomm-based smartphones.

  • Samsung: Enter *#0808# in dialer, select any USB mode entry containing DM.
    • Korean models: Enter 3197123580 in dialer, password is either 996412, 776432, 0821.
    • Certain version of firmwares after 2018 are blocking the access to the hidden menu with the abovementioned code. Currently no solution is known without rooting the phone (correction wanted).
  • LG: Enter 277634#*# in dialer (TODO: exact location of USB test menu)
    • On some LG devices, diagnostic ports are not exposed in Linux even after enabling the USB testing mode. This is due to multiple USB device configuration used; udev rules changing the current USB configuration is recommended in such devices.
  • Sony: Rooting required. Get a rooted adb shell and enter the command setprop persist.usb.eng 1.
  • Nexus: Rooting required. Get a rooted adb shell and enter the command setprop sys.usb.config diag,adb.
    • Not working for Pixel devices!
  • Sailfish OS: (TODO: how to modify usb-moded settings)

Usage

While we recommend using USB directly to access the diagnostics port, if your smartphone's diagnostic port is accessible via serial port, using it is also possible. The qcserial kernel module do not have the information of diagnostic port of all Qualcomm-based smartphones, and no such module exist for Samsung-based smartphones.

Accessing the baseband diagnostics via USB:

$ scat.py -t qc -u -a 001:010 -i 2

The first -t qc defines that we are parsing a Qualcomm baseband. For Samsung baseband, use sec instead of qc and you need to supply the model manually like this example:

$ scat.py -t sec -m e333 -u -a 001:006 -i 2

Available model types are following:

  • -m cmc221s: CMC221S, used in very early Samsung LTE modem/smartphone.
  • -m e303: Exynos modem 303.
  • -m e333: Exynos modem 333.
  • Newer Exynos modems might work with -m e333 option, YMMV.

-u specifies that we are accessing the diagnostic device via USB.

Although there are small heuristic to determine the connected device, it is recommended to explicitly specify the USB device address and interface number of diagnostics node. -a 001:010 specifies the address, which follows the same syntax visible in lsusb command. -i 2 specifies the interface number of the diagnostic node, which is again device specific.

Accessing the baseband diagnostics via serial port:

$ scat.py -t qc -s /dev/ttyUSB0

Replace /dev/ttyUSB0 to what is your diagnostic device.

By default, SCAT will send packets to 127.0.0.1, control plane packets to UDP port 4729 as GSMTAP, user plane packets to UDP port 47290 as IP.

Exit the application with Ctrl+C.

Advanced Options

Destination to send the GSMTAP packet could be changed using -H 127.0.0.2 switch. For example, this command will send all packets to 127.0.0.2:

$ scat.py -t sec -m e333 -u -a 001:006 -i 2 -H 127.0.0.2

You may want to use the following command to be able to easily sort it with Wireshark:

ifconfig ethUSB 127.0.0.2 netmask 255.255.255.0 up
sudo route add -net 127.0.0.0 netmask 255.255.255.0 gw 127.0.0.1

It is possible to automatically determine the USB bus address by using other command's outputs. Following example is for Samsung Galaxy S5 Mini:

    val=$(lsusb | awk '/Samsung/ {print substr($4, 1, length($4)-1)}')
    sudo ./scat.py -t sec -m e303 -u -a 001:$val -i 4 -H 127.0.0.2

Tested Devices

Following devices are tested by the authors and contributors:

Device Name/Model Processor Baseband Required Arguments Rooting Required? Note
Nokia 8110 4G (TA-1048) Snapdragon 205 MSM8905 X5 -t qc Yes
Google Nexus 5 (LG-D821) Snapdragon 800 MSM8974 MDM9x25 -t qc Yes
Google Nexus 5X (LG-H791) Snapdragon 808 MSM8992 X10 -t qc Yes
Google Pixel 2 (G011A) Snapdragon 835 MSM8998 X16 -t qc Yes Modification of system partition is also required
LG G Flex 2 (LG-H955) Snapdragon 810 MSM8994 X10 -t qc No
Sierra Wireless EM7455 - X7 (MDM9635) -t qc -
Sony Xperia X (F5122) Snapdragon 650 MSM8956 X8 -t qc Yes
Samsung Galaxy S III LTE (SHW-M210K) Exynos 4412 CMC221S -t sec -m cmc221s No
Samsung Galaxy S4 LTE (GT-I9505) Snapdragon APQ8064T Qualcomm MDM9215 -t qc No
Samsung Galaxy S5 Mini (SM-G800F) Exynos 3470 Exynos Modem 303 -t sec -m e303 No
Samsung Galaxy S6 (SM-G920F) Exynos 7420 Exynos Modem 333 -t sec -m e333 No/Yes
Samsung Galaxy S6 Edge+ (SM-G928F) Exynos 7420 Exynos Modem 333 -t sec -m e333 No/Yes
Samsung Galaxy S8 (SM-G950F) Exynos 8895 Exynos Modem 355 -t sec -m e333 No/Yes

Note that we did not listed every Qualcomm-based devices here.

Known Bugs

Issues related to exposing the diagnostics port via USB is out of scope.

  • On certain Qualcomm devices, after exiting and launching the application for more than once, initialization eventually hangs and no messages are appearing. Root cause still in investigation. Solution: reboot the smartphone.
  • On certain Samsung devices, metadata information like EARFCN is missing or control plane messages are not appearing. We are aware of issues and please notify us about your environment to fix this.

License

SCAT is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version.

References

We are kindly asking any academic works utilizing and/or incorporating this software to cite one of these references listed below:

  • Byeongdo Hong, Shinjo Park, Hongil Kim, Dongkwan Kim, Hyunwook Hong, Hyunwoo Choi, Jean-Pierre Seifert, Sung-Ju Lee, Yongdae Kim. Peeking over the Cellular Walled Gardens - A Method for Closed Network Diagnosis -. IEEE Transactions on Mobile Computing, February 2018.

About

SCAT: Signaling Collection and Analysis Tool

Resources

License

Stars

Watchers

Forks

Releases

No releases published

Packages

No packages published

Languages

  • Python 97.0%
  • Lua 3.0%